dridex | 331b081d4f8a8c846b6f54ed1309c8b13802449ae5a412bacdd1beb40d032835

General

Target

88bf0cec0a0950513347f76e77b77f06_JaffaCakes118.dll
Size

1.2MB
MD5

88bf0cec0a0950513347f76e77b77f06
SHA1

5109dea79b1e2bb2086e1fda0cfb197ac78e90b5
SHA256

331b081d4f8a8c846b6f54ed1309c8b13802449ae5a412bacdd1beb40d032835
SHA512

0f4bd97642aa68d69154d8e5f42c00e2c0bb4c96877397dca25b6c7c473771e51e558df007812bc8e994614e3ce238309e5b9141cfa3def4d554acf9ef0659ce
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3444-4-0x0000000001220000-0x0000000001221000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemSettingsRemoveDevice.exesigverif.exeApplySettingsTemplateCatalog.exe

pid process

3852 SystemSettingsRemoveDevice.exe
4472 sigverif.exe
5112 ApplySettingsTemplateCatalog.exe
Loads dropped DLL 3 IoCs

Processes:

SystemSettingsRemoveDevice.exesigverif.exeApplySettingsTemplateCatalog.exe

pid process

3852 SystemSettingsRemoveDevice.exe
4472 sigverif.exe
5112 ApplySettingsTemplateCatalog.exe

pid	process
3852	SystemSettingsRemoveDevice.exe
4472	sigverif.exe
5112	ApplySettingsTemplateCatalog.exe

pid	process
3852	SystemSettingsRemoveDevice.exe
4472	sigverif.exe
5112	ApplySettingsTemplateCatalog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Pch8xta\\sigverif.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ApplySettingsTemplateCatalog.exerundll32.exeSystemSettingsRemoveDevice.exesigverif.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3444 wrote to memory of 656	3444	SystemSettingsRemoveDevice.exe
PID 3444 wrote to memory of 656	3444	SystemSettingsRemoveDevice.exe
PID 3444 wrote to memory of 3852	3444	SystemSettingsRemoveDevice.exe
PID 3444 wrote to memory of 3852	3444	SystemSettingsRemoveDevice.exe
PID 3444 wrote to memory of 3848	3444	sigverif.exe
PID 3444 wrote to memory of 3848	3444	sigverif.exe
PID 3444 wrote to memory of 4472	3444	sigverif.exe
PID 3444 wrote to memory of 4472	3444	sigverif.exe
PID 3444 wrote to memory of 1588	3444	ApplySettingsTemplateCatalog.exe
PID 3444 wrote to memory of 1588	3444	ApplySettingsTemplateCatalog.exe
PID 3444 wrote to memory of 5112	3444	ApplySettingsTemplateCatalog.exe
PID 3444 wrote to memory of 5112	3444	ApplySettingsTemplateCatalog.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88bf0cec0a0950513347f76e77b77f06_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:656

C:\Users\Admin\AppData\Local\GZxrG\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\GZxrG\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3852

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:3848

C:\Users\Admin\AppData\Local\M62mJ9\sigverif.exe
C:\Users\Admin\AppData\Local\M62mJ9\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4472

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:1588

C:\Users\Admin\AppData\Local\aMlp2YEc\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\aMlp2YEc\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GZxrG\DUI70.dll
Filesize
1.5MB

MD5
84336b14f4922b2ea967b5102a4e0d38

SHA1
53af24cf71c36af825ce63e2ee4aede635c8e890

SHA256
6da1b953539f7368e86109e4512fc8e9006f53860a5040ca1eb4cae052fe12c8

SHA512
9492b4e40956b5431100745af8abc63d4cb6bfdfc9779cb78b5c50256525ee65ba3d27c262d8a2ea0fc1163ab12f10b7ea5ba58685003a7c7a3e17d58f5bb529

Download Submit
C:\Users\Admin\AppData\Local\GZxrG\SystemSettingsRemoveDevice.exe
Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\M62mJ9\VERSION.dll
Filesize
1.2MB

MD5
8b9401c50ff5b224f5861af5183f5530

SHA1
214d0ef5346363f0271f82ea053e0fbf5c7557a0

SHA256
af4714a079fafa32472217c4eb871e25aa0a13cb0e6649c331afab5c2b9f8a8d

SHA512
cc0d420417e6dbb7ef1789aa1565f1e3829edd4912c9766051bd1784b19079c8d38ebef0e27f6a409c13b4781e70caf1b87861953b91c74194eaa8fd112e1d6d

Download Submit
C:\Users\Admin\AppData\Local\M62mJ9\sigverif.exe
Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\aMlp2YEc\ACTIVEDS.dll
Filesize
1.2MB

MD5
dae6a59a17b74709f9d60e350eadf3b3

SHA1
bc3bc63639927e79591d633cdddde66c3513d29b

SHA256
eb67a4b11b1a18e843f3d8fbe27df3f48e3a4c3570b1d579c1b55edca65753ed

SHA512
f08fd193a25abaa5b8cbbdb08814c05aa21fbb8308cbe5d57f3bc8010a2e46e821dfadec8feb1c4b4ad5b4ddfaddc0202f2d02a13f6894aefc961135ca5e7775

Download Submit
C:\Users\Admin\AppData\Local\aMlp2YEc\ApplySettingsTemplateCatalog.exe
Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
Filesize
1KB

MD5
37ce6df981d1b8ac7ad28f3c02b10f25

SHA1
74fb693f920fde3220406cf8cdc0b9e2caff9fe9

SHA256
dea5deef374a2fc75d8bb0007686179f15a1925de48d5bdf9874915de3d38959

SHA512
e7f9189eedfec631b65e4c07052ab9d3fd9a3db9f73f4bc208eb798ba47e2d232787f0b8443e0cad359988da6ff29c6a15e0eb67bd0a7f4759e64bf0bb32d023

Download Submit
memory/212-0-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/212-3-0x00007FFA711A0000-0x00007FFA718DF000-memory.dmp

Filesize
7.2MB

Download
memory/212-40-0x00007FFA711A0000-0x00007FFA718DF000-memory.dmp

Filesize
7.2MB

Download
memory/212-39-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-6-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-33-0x00007FFA70CDA000-0x00007FFA70CDB000-memory.dmp

Filesize
4KB

Download
memory/3444-34-0x0000000000EF0000-0x0000000000EF7000-memory.dmp

Filesize
28KB

Download
memory/3444-35-0x00007FFA71DD0000-0x00007FFA71DE0000-memory.dmp

Filesize
64KB

Download
memory/3444-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-4-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/3444-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-36-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3444-24-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3852-47-0x000001A886A10000-0x000001A886A17000-memory.dmp

Filesize
28KB

Download
memory/3852-53-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3852-48-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4472-65-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4472-70-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4472-64-0x0000013DBDC40000-0x0000013DBDC47000-memory.dmp

Filesize
28KB

Download
memory/5112-81-0x0000020330920000-0x0000020330927000-memory.dmp

Filesize
28KB

Download
memory/5112-87-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads